126 Responses

Many people in telecommunications are very unhappy about all this. Understandably.

Then they should simply refuse to cooperate with SIS's underwear sniffing. The government can hardly shut down the entire NZ internet, and if a civil disobediance campaign is widespread enough (people refusing to fill out the forms, refusing to fill them out accurately, and refusing to speak to SIS snoops seeking to check referees), then that is the option they will face.

OTOH, if you don't want to play, just tell them that you're a drug-addicted communist wikileaks-supporter with huge financial problems who is cheating on your partner (that establishes three of the classic motives: Money, Ideology, Compromise). Problem solved.

Yeah, nah. Not if you have a real job.

The Act, as I understand it, allows the GCSB to shut down network provision businesses who don't comply, which means that if they can't get any staff with security clearances, then they (potentially) can't operate, which means they'll (somewhat justifiably) make passing a security clearance check a requirement to be/stay employed.

It's one thing to muck the Government around when it just costs them time, it's another when it affects your ability to pay the rent.

Not as the USA does, where you get vetted and it stays with you as an individual. Generally, security clearances apply only to staff of a government organisation and are the decision of the Chief Executive of that agency and only for that agency.

Just like in the US, actually. A clearance for Department of Defence does not translate to a clearance for Department of Energy (home of the US nuclear weapons fabrication system) does not translate to a clearance for the Department of Homeland Insecurity/Department of Justice. They'll recognise each others' clearances for information sharing, but that's not the same as being granted a clearance for that agency.

There, as here, a vetting of sufficient recency can be "transferred" to another government sector for use in considering a new application for a clearance, but the clearance itself is granted by the agency.

Not correct. GCSB must approve changes to broad categories of a network, but not all changes. You can re-number your network as often as you wish. You can change your network administration credentials without seeking GCSB approval. You can deploy whatever CPE you choose.It's a bloody stupid rule, but it's not an absolute "You can't even pick your nose without our say-so" rule.

“all your employees must receive a security clearance”

Also not in the least bit correct. A provider must nominate an employee (singular) to apply for a secret-level clearance, but there is zero requirement that all employees be even vetted, never mind granted a security clearance.

I’d bet that if a network provider found a way to firewall off any command/control signals from outside their network, the GCSB would tell them to stop.

GCSB has no mandate to make such a demand. The law is pretty clear that interception capability is an on-premises activity, not one that takes place remotely. There is zero obligation on providers to allow GCSB to electronically prowl the network.

But demanding it of civilians who have nothing to do with the government

They may not want to have anything to do with the government, but by dint of working for a network provider who is legally required to have something to do with the government, they now do have something to do with the government. Interception capabilities for criminal investigations are sensitive subjects. It's not surprising that there's no desire at the GCSB to have any uncleared Joe have access to snoop at such things.

A "service provider" under the Bill is any person within or outside New Zealand (other than a network operator) who provides a telecommunications service in New Zealand to an end-user, as part of a business or otherwise. Subject to considerable limitations, the responsible Minister may, on the application of a surveillance agency, direct a service provider to comply with one of a specific list of network operator duties, including duties to be "intercept ready" or "intercept accessible" (and may direct the operator to comply with corresponding network operator "obligations"). The limitations on these directions include that the surveillance agency must notify the affected service provider and give it a reasonable time within which to make submissions to the Minister. The agency must also consider whether that lack of interception capability on the provider's telecommunications service adversely affects national security (including New Zealand's economic well-being) or law enforcement. If the Minister makes such a direction the service provider may request a review of the decision by a panel of suitably qualified independent persons, who must each have the appropriate security clearance.

The definition of "service provider" is wide enough to cover any business or agency making internet or email services available to its staff or customers, even on a non-commercial basis, and would include the likes of Google, Yahoo! and Facebook.

The "TICS" Bill imposes significant obligations on telecommunications network operators. It also has the potential to impose significant obligations on other providers who might not generally be considered to be in the business of providing public telecommunication services.

In addition, while surveillance agencies already have some powers under the Telecommunications (Interception Capability) Act 2004, the Bill extends the scope of those powers and extends their application beyond the traditional telcos and imposes interception-related obligations on a very broad class of service providers (based both in New Zealand and overseas)

Perfectly cromulent sir...On the subject of security clearence. We used to have the "Official Secrets Act" enacted in 1951, repealed? dunno.I had to sign it back in the UK, for that is from where it henced.I was working in one of the Royal Parks, Greenwich, as a gardener. I had the joy of saying, when asked by an elderly lady as to what I was planting "I could tell you but I would have to kill you"Wasn't all fun and games though I can tell you.... actually I can't.

After all, you send a squad car to arrest a copyright infringer who fails to appear in court after a summons. You launch a helicopter raid on a terrorist’s mansion.

You obviously missed the memo!Things have been ratcheted up a notch or two. Nowadays: you send a helicopter raid to neutralise a copyright infringer who fails to appear in court after a summons. You launch a drone-based smart missile on a terrorist’s mansion.

Many people wrote to the Minister complaining the definitions of network operator were way too broad.

She replied essentially saying we were reading the legislation wrong and that only parties covered under existing legislation were intended. No, there was no need to add clarifying language to the bill.

Quite an interesting discussion going on in the network community here:

The government can hardly shut down the entire NZ internet, and if a civil disobediance campaign is widespread enough (people refusing to fill out the forms, refusing to fill them out accurately, and refusing to speak to SIS snoops seeking to check referees), then that is the option they will face.

Why not? China shut down the entire internet in Xinjiang over race riots in Urumqi a few years back. Perhaps a little more likely would be the government making business very difficult for a few telcos to scare the others into line along with nice, friendly ministers telling the public that if you've got nothing to hide, you've got nothing to fear... But still, it's just a matter of pulling the plug, and then what's the public supposed to do?

the system ignored this manually keyed altitude data. It started evaluating all possible altitudes along the U-2’s planned flight path for potential collisions with other aircraft. That caused the system to exceed the amount of memory allotted to handling the flight’s data, which in turn resulted in system errors and restarts. It eventually crashed the ERAM look-ahead system, affecting the FAA’s conflict-handling for all the other aircraft in the zone controlled out of its Los Angeles facility.

I'm happy to see that the GCSB's list of rules is marked twice on every page "UNCLASSIFIED" ... sadly I guess that means that there are other rules that people all have to adhere to that are classified

I can see the security model they're aiming at being similar to Australia's. There, (mostly) public servants can get a security clearance at one of four levels, which can be transferred between agencies (there's a process to this - you don't just get access to every agency's "Secret"-classified information unless that agency authorises it). It's much better than the old system of each agency having to do their own security checks.

Contractors for govt organisations are required to get clearances suitable for any classified material they'll potentially have access to. Staff at private companies (e.g. Telstra) don't require security clearances, except for specified individuals that may need to review classified material. Most of their stuff would be classified by the govt as commercial-in-confidence, so no clearance required for that.

But you do get stupid things like the situation I'm in, where I work for a Govt Business Enterprise, which is commercial-in-confidence. But they are moving some of their data to a co-lo data facility with other govvie organisations, and I would need a security clearance to access that infrastructure. As an NZ citizen, I'm not eligible, so too bad if something goes tits-up there while I'm on call.

Let’s not get too silly. A “telecommunications service” is about connectivity – the means to transfer the data bits. A website is as much a “telecommunications service” as a personal call

Not to mention that the "service provider" and "network operator" definitions were developed in discussion with the industry. They're well-understood terms in that context. The reason they seem so broad is that wholesale service relationships (for example) are quite hard to explain in simple terms.

...means any person providing a Telecommunication Service to an End Customer that has the Billing Relationship with the End Customer for that service. The same person may be both an ASW and a RSP; or both a VW and a RSP; or both an ANP and a RSP (except in the case of Telecom NZ Limited).

Meh, CentOS and VMWare would be part of the basic infrastructure of many large NZ organisations not least public sector ones. Suggesting a sinister coincidence is drawing a long bow. And I say that as someone who is convinced they *are* in cahoots.

For the non technical, CentOS is a kind of Linux operating system, VMWare is a technology for making one big grunty server behave like a lot of small servers so you can consolidate services on less hardware -- they aren't nefarious tools for doing bad.